A Real World Negative SEO Case Study

Yesterday, someone explicitly threatened to launch a negative SEO attack against our website. Unless we pay a sum of money in the next 24 hours, our backlink profile will be flooded with toxic links.

(Honestly, it all sounds like the plot of a terrible James Bond movie. But I digress.)

steve bond

We have no intention of paying these people so I fully expect our site to be bombarded with unnatural links in the very near future.

And when that happens, I will use this post to document absolutely everything (e.g., a description of the attack, an analysis of its impact, recovery steps, etc.).

Since negative SEO continues to be one of the most hotly debated topics in our community (look here and here), I’m hoping this case study in-progress can contribute to that debate, while also serving as a comprehensive guide for diagnosing and recovering from a negative SEO attack.

With that in mind, let’s start from the beginning…

August 11, 2014

2:19pm CT — “Rannvijay Singh” (speed.seo.2014@gmail.com) sends us a very cryptic email through our site’s contact form:

Hi,

I found your website by searching Google with “seo tips” – I am interested to buy – can you please guide me ?

Thanks 357

There’s nothing particularly exciting about this email. It looks like just another spam message from just another spammer. A normal, sane person would delete it and never look back.

But I’m not a normal, sane person. I’m a masochist that spent years of my life fighting spam (no, seriously: that’s how I got those goofy letters after my name), and I genuinely enjoy “corresponding” with spammers.

(Unfortunately, I was really busy on the 11th so I completely forgot to respond to Rannvijay until…)

August 12, 2014

11:10pm CT — I send the following generic response (primarily because it’s always fun to see what a spammer’s second email will look like):

Hi Rannvijay,

Thanks for contacting us. Can you elaborate on what you’re interested in buying?

Thanks,
Steve

Nothing sexy here. Just a short and sweet message to let him know I value his spamming. Now, we wait…

August 13, 2014

2:29pm CT — Well, that didn’t take long. Rannvijay decides to take our relationship to the next level by sending me an absolute novel:

Hello,

Read this email very carefully.

This is an extortion email.

We will do NEGATIVE SEO to your website by giving it 20,000 XRumer forum profile backlinks (permanent & mostly dofollow) pointing directly to your website and hence your website will get penalised & knocked off the Google’s Search Engine Result Pages (SERP) forever, if you do not pay us $1,500.00 (payable by Western Union).

This is no false claim or a hoax, download the following Notepad file containing 20,000 XRumer forum profile backlinks pointing to http://www.negativeseo.cn.pn/ (this is our website and go and see on this website, you will find our email address speed.seo.2014@gmail.com from which this email right now is being sent to you) :

http://www.mediafire.com/download/eizjwnpq2rsrncu/20000-XRumer-Forum-Profile-Backlinks-Dofollow.txt

Just reply to this email to let us know if you will pay just $1,500.00 or not for us to refrain or not from ruining your precious website & business permanently. Also if you ignore this email and do not reply to this email within the next 24-48 hours, then we will go ahead and build 20,000 XRumer forum profile backlinks pointing directly to your website.

We are awaiting your wise decision.

RS

There is a lot to love about this “extortion email” so allow me to break it down line-by-line…

  • Hello,

    If you’re going to try to extort money from me, at least have the common courtesy to use my name. Come on Rannvijay, you’re better than that.

  • Read this email very carefully.

    I’m parsing it line-by-line in a blog post so I hope that’s careful enough for you.

  • This is an extortion email.

    This part of the email actually made me laugh out loud. “I’m totally trying to steal money from you right now.” I take it all back, Rannvijay: you’re the best.

  • We will do NEGATIVE SEO to your website by giving it 20,000 XRumer forum profile backlinks…

    I’ll be honest with you. I didn’t realize people were still using XRumer. Did I just wake up in 2012?

  • … your website will get penalised & knocked off the Google’s Search Engine Result Pages (SERP) forever…

    Forever? Like forever ever?! Now, you’re just being hurtful.

  • … if you do not pay us $1,500.00 (payable by Western Union).

    This is my favorite part of the email. Assuming I was dumb enough to pay the money, how would I even do so? Does Western Union know Rannvijay on a first name basis? Am I supposed to guess where to send the money? I feel like this extortion is being run by a bunch of 8 year olds.

  • This is no false claim or a hoax…

    I sure as hell hope not. I’ve already spent a lot of time reading this nonsense. And this blog post is going to look really silly if you don’t follow through with your threats.

  • … download the following Notepad file containing 20,000 XRumer forum profile backlinks pointing to http://www.negativeseo.cn.pn/ (this is our website and go and see on this website, you will find our email address speed.seo.2014@gmail.com from which this email right now is being sent to you) :

    http://www.mediafire.com/download/eizjwnpq2rsrncu/20000-XRumer-Forum-Profile-Backlinks-Dofollow.txt

    This is incredibly confusing. Why should I care about 20,000 backlinks that Rannvijay pointed at his own site? A monkey can generate XRumer links. Literally. A monkey.

    I really hope he’s planning to use that site (or any of those links) to launch the attack. That will make my job suuuuuuuuper easy.

    (P.S. It’s adorable that he referred to a text file as a “Notepad file” — kids say the darndest things.)

Anyway, since Rannvijay is very proud of his site and his spammy links, let’s take a look at them…

First, here’s a screenshot of the site:

negative SEO site

As you can see, it’s not much to look at. However, in addition to providing valuable “facts” about negative SEO, the site offers critical information about human growth hormones and the best company for tiling Marlborough, Massachusetts. Ladies and gentlemen, this is content marketing at its finest!

The best part of the site is the following line:

If you have any questions about negative SEO, then please feel free to email me to <speed.seo.2014@gmail.com>

I don’t know about you, but I have all kinds of burning questions about negative SEO. And now I have someone to answer them! Thanks Rannvijay!!!

(P.S. If anyone has negative SEO questions, leave them in the comments below. I’ll be happy to forward them on to Rannvijay. Also, feel free to email him yourself — I’m sure he’s willing to answer everyone’s questions.)

Next, here’s a screenshot of one of the XRumer links (if you want the full list of links, you can download it here):

profile spam link example

This is all pretty standard stuff. If you’ve ever performed a link audit for a penalized site, you’ve already seen much more exotic examples than this.

Anyway, let’s get back to the email…

  • Just reply to this email to let us know if you will pay just $1,500.00 or not for us to refrain or not from ruining your precious website & business permanently.

    Pay just $1,500.00? You mean I have the option of paying more?! Well, sign me up! And do you think you could say, “or not” a few more times. This sentence was way too easy to read… or not.

  • Also if you ignore this email and do not reply to this email within the next 24-48 hours, then we will go ahead and build 20,000 XRumer forum profile backlinks pointing directly to your website.

    That’s not very nice. What if I didn’t receive this email until after 48 hours? Rannvijay, I’m beginning to think you’re a real asshole.

  • We are awaiting your wise decision.

    That makes two of us. The “wise decision” would have been to stop reading this email after “Hello,” but we’re way past that now!

  • RS

    You’re too good to sign your full name?! That is officially the straw that broke this camel’s back. Game on, Rannvijay. GAME ON!!!

10:33pm CT — We receive the exact same email from a different email address (issmt1@yahoo.com). Call me crazy, but if I was trying to extort money from someone, I’d at least try to establish a consistent form of communication with that person.

Also, I’m curious if this second email means we received an extension on our payment deadline. Does the 24-48 hour time window start from the first email… or the second one? If we keep receiving emails, does that mean the timer will keep resetting?

These are the questions you’re forced to ask yourself when you’re dealing with 8 year olds.

August 14, 2014

1:55am CT — This post goes live.

At the moment, I’m just waiting for the attack to begin. I still haven’t responded to Rannvijay’s extortion emails (aside from my public line-by-line response above) because I want to see if the correspondence changes after 24-48 hours have passed.

Specifically, I’m wondering if Rannvijay will let me know when he’s launching the attack. Will he try to give me a last second discount?! Will he ever stop replacing “and” with &?!?!

7:19am CT — Apparently, Rannvijay wasn’t very selective with his affections. He’s been sending his emails to various members of the SEO community (look here and here).

10:27am CT — Rannvijay sends us a very brief follow-up email from the second address (issmt1@yahoo.com):

What did you decide ?

Well, I decided a few things, actually. First, I decided not to pay money to an imaginary Western Union account. Then, I decided to document this entire saga in a blog post. But most importantly, I decided that we can’t be friends. I’m sorry, Rannvijay.

And it’s not me… it’s most definitely you.

2:50pm CT — Multiple people have now received the same payment instructions (we received them, James posted them in the comments below, and Chris Dyson received them by trolling Rannvijay — more on that in a moment):

Pay $750 and $750 to the following 2 persons by WesternUnion and after you send the money by WesternUnion, then email me the 2 MTCN numbers, the exact amount to be received in Indian Rupees (currency) & the money sender’s full name and address and phone number.

Recipient 1 ($750.00) :

Full name : Samarendranath Das
Address : Acharya Prafullanagar, Pashchim Para, Rajpur, Sonarpur, Sonarpur
City : South 24 Parganas
PIN Code : 700150
State : West Bengal
Country : India
Mobile : +919831480728

Recipient 2 ($750.00) :

Full Name : Sanjay Das
Address : Acharya Prafullanagar, Pashchim Para, Sonarpur,
City : South 24 Parganas,
PIN Code : 700150
State : West Bengal
Country : India
Mobile : +919836255433

After you send the $750.00 + $75 0.00 by WesternUnion, then email me the 2 MTCN numbers, the exact amounts to be received in Indian Rupees (currency) & the money sender’s full name and address and phone number.

Confirm that you have received this email and confirm that you will pay and when you will pay ?

Since all 3 of us received the exact same instructions, I think it’s safe to say this information is correct. Now, we just need to think of creative ways to use that information.

In the meantime, let’s take a moment to praise our good friend, Chris Dyson. As I mentioned above, he’s been trolling Rannvijay all day, and here’s one of the emails Chris received:

Hi,

I have sent emails to 60+ webmasters about this negative SEO and some of them has responded positively and some of them have responded negatively. You are the only one who has responded anonymously. Those webmasters, who are responding negatively or not responding at all, will have their websites done with the negative SEO, including you, if you do not pay up.

Let me know what you think.

Cheers,

RS

This email is AMAZING for so many reasons. First, if Rannvijay is telling the truth, people have actually responded positively to his threats. I’m really hoping those people only “responded positively” to get contact information and payment instructions (like James, Chris, and I did) — and not to actually pay this idiot.

Second, I think it’s incredibly funny that Rannvijay is threatening an anonymous email account (Chris was trolling him with a generic Gmail address). “I don’t know who you are, but I’m still going to negative SEO the hell out of your site!” Kids will be kids.

August 17, 2014

9:24am CT — Nothing particularly exciting happened over the weekend. We haven’t received any new emails, and we still haven’t observed any changes to our backlink profile.

However, a few people posted interesting comments that are worth discussing. First, Aurelien posted a Facebook profile that might be associated with Rannvijay.

Here’s a screenshot of the profile:

Sanjay Das Facebook profile

As you can see, the profile has the same name (Sanjay Das) and almost the same address (North 24 Parganas instead of South 24 Parganas) as Recipient 2 in the payment instructions (see above). This might just be a huge coincidence, but it’s still interesting.

Second, Akshay provided various resources for reporting incidents of cyber crime in India. Most notably, here is the contact information for West Bengal (the state listed for both recipients in the payment instructions):

CID, Cyber Crime
West Bengal
Ph: +9133 24506163
e-mail: occyber@cidwestbengal.gov.in

If you also received these extortion emails from Rannvijay, feel free to use this contact information to report the extortion attempt to the local authorities.

Finally, Richard Baxter suggested I dig through our logs to identify Rannvijay’s IP address and user agent. I have to admit I’m embarrassed I didn’t do this from the very beginning (thank you for helping me pull my head out of my own ass). Anyway, the IP address is 115.187.45.145, and here’s the user agent:

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

Now, let’s take that information and run with it…

Based on the user agent, Rannvijay is using a relatively updated version of Chrome on Windows 7. This result is not particularly helpful because a large percentage of our site’s visitors use that browser/operating system combination.

However, the IP address is much more interesting. Here are just a few network-related details:

IP: 115.187.45.145

ISP: Alliance Broadband Services Pvt. Ltd.

Address: Kolkata, West Bengal (28), India

Contact: Sk Akramul Alam
P-89 C.I.T Road
2nd Floor, Kolkata – 700014, India
Telephone: +91-33-39837800
Fax: +91-33-39829588
Email: ipadmin@alliancekolkata.com

This is even more evidence that the payment information (see above) actually contains legitimate addresses (if nothing else, it verifies that West Bengal is the appropriate Indian jurisdiction for reporting this incident as a cyber crime).

Also, it’s important to note that this IP address has a poor SenderBase email reputation score, and it used to appear frequently in the Project Honeypot database (it hasn’t appeared recently).

Anyway, this exciting saga continues…

What Do You Think?

As I mentioned at the beginning of the post, I fully intend to document everything that happens from here on out. If you have any comments or questions about anything, please let me know in the comments below.


steve
About The Author:  is an SEO audit specialist at Web Gnomes. He received his Ph.D. from Georgia Tech, where he published dozens of articles on Internet-related topics. Professionally, Steve has worked for Google and various other Internet startups, and he's passionate about sharing his knowledge and experiences with others. You can find him on Twitter, Google+, and LinkedIn.


Did you enjoy this article?


Make sure you don't miss the next one by subscribing to our blog.


Share it with your friends and colleagues:


72 Responses to “A Real World Negative SEO Case Study”

  1. Barrie August 14, 2014 at 2:39 am #

    Howdy ;)

    Seen it more time that I wish I had. Only on one occasion when the ransom was not paid did the spike in links follow.

    The thing was the links they did place and what they did was not a real negative SEO attack. It was like some pre pubescent teenager had $20 to waste on fiverr and bought some crap gigs.

    A proper NSEO attack would not look like, in my experience, what these guys did. Don’t know about the one that’s trying it on with you mate, but these other kids were just that, kids!

    That being said. The behavior is disgusting, immoral and should be criminalized. To “attack” a website knowing the behavior will implicitly effect the sites ability to generate revenue.

    There is a project going on at the moment to try to create a code of ethics for the industry. Unfortunately people like this would never subscribe to such a code and would always try this sort of tactics.

    One could argue that the introduction of Penguin gave a resurgence to the tactic which used to be know as Google Bowling back in the early days, now known as NSEO.

    I hope this spammer moves on. If he doesn’t and he does pull the trigger, then you have the skills to clean up his mess, why should you I know, but you have the skills.

    It’s the small businesses out there whom these incredulous parasites feed on that I feel sorry for and more mainstream coverage of this topic in easily digestible language for the layman is required to help alleviate concerns and give some core actions to, that is what is required, IMHO.

    Just my two cents ;)

    • steve August 14, 2014 at 7:55 am #

      Barrie… my brother from another mother!!!

      I couldn’t agree with you more. This email is despicable, and as far as I’m concerned, the perpetrators are soulless.

      Having said that, I’m hoping they actually launch the “attack” for a few reasons. First, as you mentioned, this is part of what we do for a living (i.e., cleaning up link spam — not creating it), and it would be useful for others to see how to handle this situation in the future.

      Second, I genuinely want to see what this particular “attack” will actually look like, and more importantly, I want to see what Google will do to our site in response. If something “bad” does happen, I’d much rather see it happen to us… and not someone outside of the industry.

      Your last point really hit the nail on the head. When I received this email, I started laughing. But I’m sure it would be absolutely terrifying for a small business owner that doesn’t know anything about SEO, negative SEO, link spam, etc. Again, if anything comes of this “attack,” I hope this post can help educate those business owners and minimize unnecessary terror.

  2. Joe August 14, 2014 at 2:41 am #

    I got the exact same correspondence and it looks like we’re not alone http://dejanseo.com.au/hello-extortion-email/.

    • steve August 14, 2014 at 7:58 am #

      Thanks for the heads up Joe!

      As Barrie mentioned above, it’s important to raise awareness about this situation so others won’t panic when it happens in the future.

  3. Yon August 14, 2014 at 7:38 am #

    Hey,
    Ridiculous. The sad thing isn’t any of what’s in his e-mail. It has about the same level of logic and reason as the Nigerian scammer e-mails.

    What’s sad about this is if and when they send it to enough people, someone will end up paying them.

    Oh if only negative SEO wasn’t a real thing *cough cough hint cough Google cough stop the madness cough*.

    • steve August 14, 2014 at 8:28 am #

      I agree with you Yon. It will be incredibly sad if someone actually pays these people.

      But look on the bright side… this extortion attempt has been woefully mismanaged. If I was Rannvijay, I’d fire my email marketing company, my developers, and pretty much everyone else associated with this debacle. ;-)

  4. Ria August 14, 2014 at 8:44 am #

    I wonder about the little things. Like, what made the guy change his email halfway through…?

    The cached version of his website also displays speed.seo.2014@gmail.com and not issmt1@yahoo.com.

    Mid-extortion rebranding? He seems like a very confused businessman. He can’t even decide whether he wants to be Botanical Slimming Soft Gel retailer or a tiler from Massachusetts.

    • steve August 14, 2014 at 9:00 am #

      These are all very important questions.

      And if you’re going to change your email address in the middle of an extortion, why would you change from Gmail to Yahoo Mail? I haven’t used Yahoo Mail since like 2004.

      “Mid-extortion rebranding” — I love it! I can’t wait for someone to write, “10 Marketing Lessons Learned From Extortion Emails” (actually, I take that back — I can absolutely wait for that… if you’re reading this comment, please don’t write that post).

  5. Ria August 14, 2014 at 8:54 am #

    I have a small suspicion… Just a tiny one. I have an inkling on who may be the one extorting you. But for obvious reasons, I shan’t post the name here because I could be wrong.

    • steve August 14, 2014 at 9:01 am #

      Feel free to shoot me an email (steve @ — or you can just use the contact form).

  6. Patrick Hathaway August 14, 2014 at 9:36 am #

    Hilarious! I heard a rumour the next season of 24 is based on a similar plot, with the President exclaiming ‘We don’t negotiate with spammers!’

    In all seriousness, I know a business that had it’s website ripped apart by negative SEO (not shit like this, ‘proper’ NSEO) and the sad fact is that they have now completely given up on organic search.

    Related to this is Google’s recent admission that they are not ready to launch the next Penguin update, which means all the sites who have cleaned up their acts since last October (NSEO victims included) will have to wait even longer to see any kind of turnaround.

    I do hope for everyone’s sake that in Penguin 3.0, or whatever it might be called, Google find some way to minimalise the impact of NSEO as it is currently wide open to abuse.

    • steve August 14, 2014 at 10:09 am #

      I’m trying to think of a less exciting plot for an action movie/television show, and I just can’t do it. ;-) Imagine what that show would actually look like… 24 hours of Jack Bauer frantically refreshing ahrefs/GWT/etc., crawling backlinks, and spamming Cutts or Mueller on Twitter/G+/etc. Actually, I take it all back. THAT SOUNDS AMAZING!!!

      On a more serious note, I agree with you 100% about Penguin. It’s absurd that we haven’t seen an update in 10 months. Unfortunately, I don’t have high hopes for Penguin 3.0. Google opened Pandora’s box when they decided to assign negative value to “unnatural” links (as opposed to just devaluing them), and now, they’re simply iterating on a fundamentally broken algorithm.

      • Patrick Hathaway August 14, 2014 at 10:36 am #

        Yep, I agree entirely, and still don’t understand why they didn’t even try an update where unnatural links were devalued/ignored.

        I know of some niches where new sites can slowly but surely rise to the top of the SERPs as all other competitors get blasted away by NSEO, only for themselves to then get hit and start again.

        Has anyone ever asked Google if they have tested that algorithm (as they claim to have tested one where they ignore links entirely).

        P.S. I was imagining Bauer triangulating Cutts’ location via Twitter check-in, snipers trying to pick him off as Chloe runs interference with millions of automated Reconsideration Requests, getting patched through to Rand Fishkin… it would be epic.

        • steve August 14, 2014 at 11:40 am #

          That makes two of us. Spammers gonna spam… no matter how severe the penalties are for “bad” links. So I’d much rather eliminate the false positives (e.g., NSEO victims). If we don’t catch as many spammers, so be it.

          Let’s just hope Penguin 3.0 isn’t a total clusterf…

          (I’m all-in for this idea. Cutts and Fishkin and snipers… OH MY! Hollywood will never be the same!!!)

  7. Josh August 14, 2014 at 11:03 am #

    Man, why couldn’t I get this email? I would love to play a cat and mouse game with these criminals.

    Possible to forward the email to me for me to rattle the cage on my own site(s)? :)

    • steve August 14, 2014 at 11:42 am #

      That’s the beauty of this situation… you don’t have to wait for them to email you. You can email them!

      Here are the email addresses I know so far:

      speed.seo.2014@gmail.com
      issmt1@yahoo.com

  8. Guido August 14, 2014 at 11:47 am #

    Same cut & Paste e-mail. and my 48 hours expired. still no action….. or not ;)

    • steve August 14, 2014 at 12:04 pm #

      Hahaha… well, that’s good news… or not. ;-)

      At this point, I’m genuinely confused about when my 48 hour window started (and when it might end). Rannvijay is currently writing the manual on how NOT to handle an extortion.

  9. Streko August 14, 2014 at 11:53 am #

    Unless you send me a pack of Newport cigarettes, $0.43 (in pennies) and a pencil I am going to post this comment. You have 3 minutes to respond…

    Ohh well, no cigs, pencil or pennies.

    Hitting Submit.

    • steve August 14, 2014 at 12:07 pm #

      Best. Comment. Ever.

      You would be the greatest extortionist the world has ever seen!!!

      • Streko August 14, 2014 at 12:28 pm #

        I do it for the children…

        … & the ladies.

        • steve August 14, 2014 at 12:53 pm #

          And the world is a better place because of it.

  10. James August 14, 2014 at 1:10 pm #

    “issmt1@yahoo.com .” wrote:
    Pay $750 and $750 to the following 2 persons by WesternUnion and after you send the money by WesternUnion, then email me the 2 MTCN numbers, the exact amount to be received in Indian Rupees (currency) & the money sender’s full name and address and phone number.

    Recipient 1 ($750.00) :

    Full name : Samarendranath Das
    Address : Acharya Prafullanagar, Pashchim Para, Rajpur, Sonarpur, Sonarpur
    City : South 24 Parganas
    PIN Code : 700150
    State : West Bengal
    Country : India
    Mobile : +919831480728

    Recipient 2 ($750.00) :

    Full Name : Sanjay Das
    Address : Acharya Prafullanagar, Pashchim Para, Sonarpur,
    City : South 24 Parganas,
    PIN Code : 700150
    State : West Bengal
    Country : India
    Mobile : +919836255433

    After you send the $750.00 + $750.00 by WesternUnion, then email me the 2 MTCN numbers, the exact amounts to be received in Indian Rupees (currency) & the money sender’s full name and address and phone number.

    Confirm that you have received this email and confirm that you will pay and when you will pay ?

    • steve August 14, 2014 at 1:46 pm #

      Excellent… we also received the same payment-related information. Thanks for sharing!

  11. James August 14, 2014 at 1:11 pm #

    Not the smartest extortionists perhaps.

    • steve August 14, 2014 at 1:47 pm #

      At this point, I think that’s a bit of an understatement. ;-)

  12. Nathan August 14, 2014 at 3:04 pm #

    Our company received one of these as well. We were all in stitches over this. My favorite part of all of this is his alias – http://en.wikipedia.org/wiki/Rannvijay_Singh. Unless that’s really THE Rannvijay taking up another profession…

    • steve August 14, 2014 at 3:24 pm #

      From the very beginning, I always assumed we were communicating with THE Rannvijay.

      Unfortunately, that dream died a few hours ago when we realized we’re dealing with Samarendranath Das and Sanjay Das (see the update on August 14, 2014 @ 2:50pm CT).

      Oh well… I’m going to keep living the lie. :-)

  13. Oleg August 14, 2014 at 3:44 pm #

    Funny that they provided you with the txt file with all the domain they were going to blast you with. With the disavow tool, they pretty much gave you the antidote for their negative seo lol.

    Amateurs.

    P.S. good to see you posting again :)

    • steve August 14, 2014 at 3:52 pm #

      Hi Oleg,

      It’s good to “see” you again.

      The .txt file is truly baffling. I’m assuming it’s meant to scare people, but they can’t really do anything with those specific links. Presumably, if they launch an attack against the “60+ webmasters” they’ve contacted, they’ll use fresh XRumer blasts (and it’s extremely doubtful that those will do any real damage).

      As you mentioned, it would be trivial to protect against the list they provided (and the negativeseo.cn.pn domain they control). Also, that would limit them to a single victim. But at this point, it’s impossible to underestimate their stupidity.

      In any event, you summed it up perfectly with your last comment: Amateurs.

  14. Adam August 14, 2014 at 4:29 pm #

    I have reported this to Google, I suggest you all do the same and hopefully they will close this account down and slow them down a bit – https://support.google.com/mail/contact/abuse?hl=en

    • steve August 14, 2014 at 5:27 pm #

      Here’s Google official response to this situation: http://searchengineland.com/google-responds-mass-negative-seo-extortion-emails-200689

      Here’s Google’s unofficial response to this situation: https://twitter.com/AdamGSteele/status/500024561443041280

  15. Laurence August 14, 2014 at 4:39 pm #

    We took a slightly different approach to you and Chris..my brother’s a bit of a comedian – do you think this might rile them even more – might they double the number of dodgy links?

    Hi Rannvijay,

    Thanks for your reply. I must admit I’m amazed at the costs of your service! Only $1,500 for 20,000 links??? That’s only 8p a link! What a bargain! How can you even afford to pay someone to do that for so little money is beyond me. Either you pay your guys a very minimum wage or they’re incredibly efficient coders. Which is it? I’d love to know your secret. We’ve got engineers here and they’d laughed at me if I asked them to add a link to a page for 8p! What CMS do you use? WordPress? I like WordPress. It helps make our website look pretty! :n)…….

    The response goes on for a bit longer and gets funnier! ….you can read the full reply here – would love to hear any funnier responses? http://bit.ly/Ya98W5

    • steve August 14, 2014 at 5:30 pm #

      I love it! You and your brother are making the world a better place. :-)

  16. Kevin Fivr August 14, 2014 at 5:11 pm #

    This reminds me of a time that I trolled a Craigslist spammer. He wanted my address to send me my “check” so I gave him the fbi headquarters address, and told him to make it out to the man in charge. haha. This one is classic though. Very funny. It would piss me off, but I’m glad you blogged it so we could all laugh at this idiot.

    I did not know about the disavow feature from google, thanks!

    • steve August 14, 2014 at 5:35 pm #

      I wish someone would send me a check addressed to “The Man In Charge” (that might even be my new goal in life).

      Unfortunately, the Disavow Links tool is the only real “defense” against negative SEO at the moment. And in a lot of ways, it’s equivalent to applying a band aid to a punctured artery.

  17. Streko August 14, 2014 at 5:18 pm #

    I wonder how many jaded SEO’s have sore asses saying to themselves “I am not included in the extortion scheme, wtf! My company is big enough, I speak at more shows then that guy, I have tweeted with Matt Cutts before and I have more facebook likes!” wahhh wahhh wahhhhhhhhhh

    • steve August 14, 2014 at 5:40 pm #

      I’m sure the size of that number would disgust you (and me).

      But we definitely didn’t receive the extortion email due to our popularity — we received it because our contact forms are too easy to scrape. ;-)

  18. Jon Tavarez August 14, 2014 at 5:19 pm #

    And this is a glimpse of the ‘internet mafia’ and how criminals all over the world are using the web to scam people.

    • steve August 14, 2014 at 5:45 pm #

      You’re absolutely right about the underground world of Internet crime.

      However, that crowd is typically WAY more sophisticated than our good friend, Rannvijay. If we assume real Internet criminals are working at the executive level… that means Rannvijay is working in the mail room. :-)

  19. Mozie August 14, 2014 at 9:42 pm #

    Hey Steve, it’s 4am here and I was about to go sleep when I saw your Google+ message appear, that’s some funny, crazy stuff man. I laughed so hard reading this. But yeah Negative SEO is a reality though, had 2 of my clients complaining about links they would never build which is the thousands which is a clear indicator of negative SEO. Thanks for the share though, almost woke my wife up! lol

    • steve August 14, 2014 at 9:52 pm #

      I’m really glad I could give you a good laugh before you went to bed. :-)

      Unfortunately, negative SEO is a reality. And Google consistently turns a blind eye to it, forcing site owners to fend for themselves.

      As I mentioned in an earlier comment, I really hope the next iteration of Penguin focuses more on eliminating false positives (even if it catches less spam). Hopefully, we’ll find out sooner rather than later.

      Thanks for the comment!

  20. Ali Raza August 15, 2014 at 8:23 am #

    The funniest blog post I’ve ever read about Negative SEO! :D
    I wish I could get that email with the link list. So I would allow him to go ahead and start the attack. I have the list so I can easily remove those links.. Lolz

    • steve August 15, 2014 at 8:55 am #

      Thanks Ali — I’m really glad you enjoyed it. :-)

      I think we can all agree that Rannvijay is dumb. But the list is only meant to scare site owners (I interpret his message this way: “Look at these terrible links I built for my site — if you don’t pay me, I’ll build similar links for your site.”). If he ever launches the actual attack, I’m sure he’ll use fresh links.

      Having said that, he might still send the list of attack links. He’s already done everything else wrong so why stop now? ;-)

  21. Benjamin Beck August 15, 2014 at 9:02 am #

    I’m glad this idiot is targeting SEO’s who know how to handle his horrible attempt instead of targeting poor mom & pop small business owners.

    Also thank you for publishing this, it’s good for Google to see this side of things.

    • steve August 15, 2014 at 9:24 am #

      I wholeheartedly agree. This is becoming a high profile example of negative SEO extortion, primarily because it targeted the SEO community (and now we’re all talking about it). Also, as you pointed out, if something “bad” does happen, this community is already very experienced with handling unnatural links.

      Moving forward, I really hope this situation helps educate small business owners about how to handle similar extortion attempts. And in a perfect world, I hope it motivates Google to finally take negative SEO more seriously (and stop “addressing” it with PR spin).

  22. Srihari Thalla August 15, 2014 at 9:31 am #

    It seems the contact numbers are some what legitimate!? Funny.

    http://www.truecaller.com/in/9831480728
    http://www.truecaller.com/in/9836255433

    • steve August 15, 2014 at 9:35 am #

      Feel free to give them a call… and let them know the Internet says, “Hi.” :-)

  23. Matt Green August 15, 2014 at 8:36 pm #

    When he calls it “your precious website” :D

    • steve August 16, 2014 at 7:04 am #

      … just one of the many lines that cracked me up. Rannvijay really is the best. ;-)

  24. Aurelien August 16, 2014 at 5:37 am #

    Hello,

    Feel free to send him a poke on Facebook, he will be happy : https://www.facebook.com/profile.php?id=100006729108699

    • steve August 16, 2014 at 7:13 am #

      That is AMAZING!

      And it actually matches the payment information (for the most part)… the profile has the same name (Sanjay Das) and almost the same address (North 24 Parganas instead of South 24 Parganas) as Recipient 2.

  25. Akshay August 16, 2014 at 12:30 pm #

    Stupid People, look at the info of their fb profile Aurelien, Worked at Bussenessman, what is this bussenessman :-/

    You can report the extortion case to Cyber Cell, the person has provided the address.. you can contact west bengal cyber crime department.

    West Bengal

    CID, Cyber Crime
    West Bengal
    Ph: +9133 24506163
    e-mail:occyber@cidwestbengal.gov.in

    Complete list and other info for reporting such issues in India : http://infosecawareness.in/cyber-crime-cells-in-india

    We should teach these kids a lesson.

    • steve August 17, 2014 at 10:04 am #

      Thanks for the information Akshay… that is very useful!

      I’ve updated the post to include the contact details for the West Bengal Cyber Crime department.

  26. Richard August 16, 2014 at 12:30 pm #

    Bit disappointed we haven’t received anything.

    Extortion is a crime pretty much everywhere – I myself would prefer not to end up in an Indian jail.

    Dig through your logs Steve, let’s take a look at their ip address / UA.

    Richard

    • steve August 17, 2014 at 10:07 am #

      Thanks for the suggestion Richard… my brain has obviously been broken for the past few days.

      I’ve updated the post with the IP address and user agent information… along with a few more relevant details.

      • Richard August 17, 2014 at 3:26 pm #

        No worries mate, next:

        Keep that ip. Check it in maxmind. To verify: send a new response during working hours (in India) with a unique url in the email. Check it again. You might just be able to find his employer… I’ve caught people like this using exactly the same technique. The stupid are easy to catch on the Internet.

        PS: You may want to temporarily redact this comment until you’ve found the little bastard.

        • steve August 17, 2014 at 3:40 pm #

          I already included the ISP information in the post — and unfortunately, it appears to be a generic provider (http://alliancekolkata.co.in/).

          I’ll contact them (and the West Bengal Cyber Crime department) to see if they’ll map the dynamic IP for the time period in question… and then we should have a more definitive identify.

  27. Brett T. Smith August 17, 2014 at 3:59 pm #

    Hey Steve – thanks for sharing all this detailed information. I fear that there will be an entire industry of cyber criminals like this that will be launched if anyone follows through and pays these guys.

    I do feel that Google will also have to adjust their filters to prevent these attacks from actually working. If a site has the right types of trust signals and a clean link history these types of attacks should be able to be algo filtered without any harm coming to the ranking site BUT – I don’t think Google is there yet.

    Thanks again for the transparency as it helps the community look out for these types of cyber crimes and learn how to deal with negative SEO.

    Take Care,
    ~Brett

    • steve August 17, 2014 at 6:46 pm #

      Thanks for the comment Brett!

      Unfortunately, these types of extortion attempts are already relatively common, but they don’t receive a lot of media attention because they typically target an individual organization (and that organization wants to keep everything quiet to avoid copy cats).

      I genuinely hope this extortion attempt helps convince Google to take negative SEO more seriously (but I’m not holding my breath).

      Rannvijay’s proposed attack is very weak, and it probably won’t have much of an impact (assuming he ever launches it). However, much more sophisticated negative SEO attacks are possible, and they will continue to pose a risk to webmasters until Google takes action (e.g., devaluing/ignoring unnatural links instead of assigning negative value to them).

  28. Shaal August 17, 2014 at 4:46 pm #

    OMG, you have no idea how much fun i had calling one of the guys on his actual phone number.

    I called to the guy in the blog post with his phone number named Sanjay, he picks up the phone and i go is that Sanjay, and he’s like who is this. I explain i got an email from you regarding Negative SEO attack and he goes like oh yeah yeah yeah… Are you Chris. I am like this is none of your business, and he actually thought i was being nice. So he goes, yeah you were suppose to send me money yesterday, and i go, “Are you out of your $#%#%#$ mind?” – he goes WHAT? – I repeat. Why would i pay you? – He said, how did you get my number? – I said its in the email you sent me with your address and full name and details. I read him out all the details and he was blank…. then a plot twist, my accent is quite weird and usually no one gets it where i am from, but i can speak fluent Hindi, so i start in hindi, and well, the guy nearly shat his pants…. and hung up after we exchanged a couple of F bombs in Hindi.

    So, it means: The number is for real, the address is for real, everything is there. Lets get them arrested.

    Will be waiting on the updates.

    • steve August 17, 2014 at 6:50 pm #

      That’s a pretty great story… thanks for sharing!

      I’m going to forward all of the information we have to the West Bengal Cyber Crime department, and I’ll definitely keep updating the post as things continue to unfold.

  29. Todd Foster August 17, 2014 at 5:47 pm #

    I had the same message through my site. I never replied so he did not threaten me.

    From: Rannvijay Singh
    Subject: I Want To Buy.

    Message Body:
    Hi,

    I found your website by searching Google with “best seo services” – I am interested to buy – can you please guide me ?

    Thanks 465

    • steve August 17, 2014 at 6:54 pm #

      That’s very interesting. We know a lot of other individuals received the extortion emails (“60+ webmasters,” according to Rannvijay), but we don’t know how many of them responded to an initial “I Want To Buy” email (we’re obviously in that group — as described in the post).

  30. Richard August 18, 2014 at 1:12 am #

    You’ve *got* to record these calls. The entertainment value alone! Amazing.

    • steve August 18, 2014 at 7:59 am #

      I agree… the audio associated with Shaal’s call (shown in a comment above) might actually be worth the original $1,500. ;-)

  31. Cédric August 18, 2014 at 2:10 am #

    Hello,

    The real problem is old forums with no moderators. This is the perfect space to put SPAM messages, … Old blogs and forums are really dangerous regarding Negative SEO.

    What are the footprints of XRumer ? How to detect messages from this software ?

    Thanks

    • steve August 18, 2014 at 8:10 am #

      Fortunately, the footprints for older tools like XRumer are much easier to identify automatically. For specific examples, look at the list of links Rannvijay sent us (you can download it here).

      It’s relatively easy to build a classifier that identifies those forum profile links. Then, you just need to crawl your backlink profile and use the classifier to identify similar types of suspicious links. Once you’ve identified those links, you should disavow them (to help prevent search engines from associating the links with your site).

  32. Leith August 18, 2014 at 6:38 am #

    Hey mate,

    I did some digging with this and I found out that this guy was selling his services at at: http://www.blackhatworld.com/blackhat-seo/seo-link-building/694911-annihilate-google.html

    I called him out straight away as what he is doing is completely ridiculous and not the way to make money online.

    I hope he gets what he deserves.

    Good day.

    • steve August 18, 2014 at 8:18 am #

      Thanks for the update Leith… I agree with you 100%.

      There are so many ways to make money online — extortion shouldn’t be one of them.

      Thanks again for the comment!

  33. Amod August 19, 2014 at 12:33 am #

    Steve,
    If you would like to pursue this legally, it would be nightmare. (I am from India!) The cyber law scene in India is pathetic at best.

    If you really want to catch this guy, try to find one of your blog readers, or some contact in West Bengal (it’s a State in North East of India).

    Overall, West Bengal itself is one of the worst state, poverty ridden, unemployment and suffering from a major illegal migrant problem.

    It’s not odd that the attacker is from this state!

    • steve August 19, 2014 at 8:48 am #

      Unfortunately, it is proving difficult to report this incident to anyone in West Bengal (as you mentioned). We have tried to contact the West Bengal Cyber Crime department, but we still haven’t received a response. We’ll let you know if anything changes on that front.

Leave a Reply